Virginia enacted a law covering Breach of Personal Information Notification in 2008; in 2011 an additional statute specifically related to medical information went into effect. The 2008 law includes requirements for notification of customers in case a person or company doing business in the state suffers a breach in data security.
Breach of Security
What the law says.
“If unencrypted or unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and causes, or the individual or entity reasonably believes has caused or will cause, identity theft or another fraud to any resident of the Commonwealth, an individual or entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the Office of the attorney general and any affected resident of the Commonwealth without unreasonable delay.”
The law also applies to those who maintain data for others, and requires notification “without unreasonable delay” following discovery of a possible breach.
Violations may lead to action by the attorney general, including “a civil penalty not to exceed $150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation.” In addition, “Nothing in this section shall limit an individual from recovering direct economic damages.”
What you can do.
The best thing you can do is to have a system in place to stop security breaches before they occur.
The Federal Trade Commission offers the following checklist:
- Take stock. Know what personal information you have in your files and on your computers.
What kind of information do you collect? Where do you keep the information? Who has – or could have – access to the information?
- Scale down. Keep only what you need for your business.
If you don’t have a legitimate business need for sensitive personally identifying information, don’t keep it. In fact, don’t even collect it.
- Lock it. Protect the information that you keep.
Many data compromises happen the old-fashioned way – through lost or stolen paper documents. Often, the best defense is a locked door or an alert employee. Store paper documents or files… in a locked room or in a locked file cabinet. Limit access to employees with a legitimate business need. Control who has a key, and the number of keys.
- Pitch it. Properly dispose of what you no longer need.
What looks like a sack of trash to you can be a gold mine for an identity thief. Leaving credit card receipts or papers or CDs with personally identifying information in a dumpster facilitates fraud and exposes consumers to the risk of identity theft. By properly disposing of sensitive information, you ensure that it cannot be read or reconstructed.
- Plan ahead. Create a plan to respond to security incidents.
A Shred Ahead handles both the shredding of paper documents and the secure destruction of computer disks. We help companies doing business in Virginia institute programs designed to comply with state and federal regulations.
Let us do the same for you.